Skip Navigation

March 10, 2023 |

What is cyber insurance and does your business really need it?

Loading table of contents...

You probably already have insurance implemented to offset common business risks: product liability, general liability, and auto insurance come to mind.  

As cyberattacks keep growing in severity and frequency, more businesses turning to cyber insurance policies to protect their bottom line during a security incident. 

What is cyber insurance? 

A cyber insurance policy is essentially liability insurance for cyber-related events like a security incident or data breach. Cyber insurance acts as a safety net for costs incurred because of a compromise. 

Like other forms of insurance, individual policies vary according to a set of criteria. Carriers will consider your business class, level of risk, and industry before deciding on your coverage and premiums. 

Why would a business want cyber insurance?  

Industry experts are beginning to consider insurance a core component of all cybersecurity strategies, not just the most mature. In a sense, cyber insurance has almost completely transitioned from a luxury to a must-have. 

Let’s dive into three possible reasons the cyber insurance adoption rate nearly doubled in only four years.  

Cyber attacks are a matter of when, not if 

The unfortunate truth is you can’t prevent a cyberattack from happening. Attacks have become increasingly frequent across the board, thanks in no small part to the rise of automated attack toolkits, cybercrime as a service, and growing black markets.

The lone hacker in their basement is no longer the biggest concern—it’s now the thriving marketplace where cybercriminals buy and sell malware or hire ransomware payment negotiators. 

Cyber insurance offloads a lot of financial risk 

In the first half of 2022, the average cost of a cyber insurance claim made by a small business was $139,000. Depending on the extent of the breach, these costs can very quickly rise into millions of dollars between: 

  • Lost business (missed sales due to system downtime and cancelled contracts)
  • Financial redirection (threat actor funnels money to their own account)
  • Incident response (investigating, containing, and eliminating the cyber threat)
  • Lawsuits (class-actions stemming from compromised customer data)
  • Fines and penalties (fees from non-compliance with industry and country regulations)
  • Ransom (direct cash loss from paying a ransom)
  • Reputation damage (lost customers and higher costs to acquire new customers)

A comprehensive cyber policy transfers a lot of financial risk from the business to the insurance provider. This way, you won’t necessarily be forced to pay out of pocket for the damages that come with a cyberattack.

Not only will you be able to get back to business faster, but cyber insurance can also help alleviate the mental toll of an attack. 

Good policies reduce the stress of an attack 

A cyber insurance policy is more than a financial safety net. An attack is an incredibly stressful event to experience and there’s a lot of pressure to take the right steps in response, which is challenging if you don’t have professional guidance. 

One major benefit of cyber insurance is the provider often issues a breach coach who can walk you through all the things you should be thinking about in the aftermath of an attack.

The coach can help you navigate applicable privacy laws, like the Personal Information Protection and Electronic Documents Act (PIPEDA), and advise on cybersecurity best practices that will lower the chances of another incident.  

Who needs cyber insurance? 

Every business would benefit from an insurance policy for a number of reasons:

  • Threat actors target all verticals because all companies have valuable assets.
  • We live in a connected world with technology that creates risk.
  • Protections can and do fail.
  • Employees make mistakes.
The above are true for all businesses, no matter their size, industry, or location. That said, data suggests that certain verticals such as healthcare experience more frequent and damaging attacks—possibly due to heightened industry regulations.  

How has cyber insurance evolved? 

Cyber insurance is a relatively new type of insurance but has evolved very quickly. Until recently, getting cyber insurance was relatively straightforward. Unlike highly developed forms of insurance, such as auto, there was minimal information about cybersecurity trends and risks. As a result, policies were low-cost and required very little underwriting. 

When attacks became more frequent and damaging, carriers realized they took on too much risk. Ransomware became particularly prevalent, claims skyrocketed, and insurers began to lose money. The Insurance Bureau of Canada’s National Quarterly Report Summer 2022 states that “over the past three years, [cyber] insurers paid out $2.30 in claims and operating expenses for every dollar they earned in premiums.” 

Now businesses are seeing premium increases, coverage exclusions, sub-limits, and more in their cyber insurance policies. In Canada specifically, experts have seen many insurers capping coverage at $3–5 million, a far cry from the $10 million options offered not too long ago.  

What to look for in a cyber insurance policy 

Not all cyber insurance is created equal, making it imperative to understand your policy and coverage. When shopping for cyber insurance, here are some key elements to look for:  

First and third-party liability 

Both first and third-party liability is important in a cyber insurance policy because they cover two distinct areas of an attack.  

  • First-party liability helps cover the expenses, including response and recovery, that occur as a result of a cybersecurity incident. 
  • Third-party liability protects you if a third-party (customer, partner, vendor) files a claim against you for damages they incurred from the attack.  

Crime coverage 

Crime coverage covers money lost from financial redirection, ransomware payments, and similar crime-related activity. In many cases, this section of the policy is what has changed the most in recent years. 

Crime coverage may not be offered at all or may be subject to sub-limits (for example, if you have one million in liability limits the crime coverage is lowered to $50,000). 

Prior acts 

When you put a cyber insurance policy in place, you want to be sure that any in-progress attacks are covered. Cybercriminals commonly gain initial access to a network and then lay low for weeks, even months. They just collect information and wait until it’s time to execute the next stage of their attack. 

If your policy does not include prior acts and an investigation finds that an attacker accessed your network before the policy began, you may be on the hook for any financial damages.    

Fines and penalties 

Between PIPEDA, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), there are more regulations and compliance requirements than ever before.

The penalties for non-compliance can be hefty. The right insurance policy will help you avoid having to pay for fines out of pocket. 

Coverage for all devices 

With more businesses than ever embracing a hybrid work environment, you must ensure your cyber insurance policy covers all your devices including phones, tablets, and other corporate-issued devices employees depend on for work. 

Reputational harm 

A cyber insurance policy can help with damage to your reputation following a breach. This could mean hiring a PR or crisis communications team that can contact clients, mend relationships, and take other actions to improve your company’s reputation. 

Cyber insurance vs cybersecurity tools

Even with all the strongest protections in place, there is still a level of risk that a cyberattack could happen, and cyber insurance serves as a financial buffer.  

Businesses often wonder how to get the best cyber insurance premium and if investing in cybersecurity measures will impact premiums.

As of right now, having good cybersecurity does not directly discount your insurance payments. That said, cyber insurance providers will often ask what protective measures you have in place. They’ll ask if you have multi-factor authentication implemented, threat monitoring, and things of that nature. 

If you take steps like these to secure your business, you may have access to more carriers and, in turn, potentially reduce the rate you pay. You could also be offered higher coverage with fewer sub-limits or exclusions. 

Whether through the costs associated with an incident or concerns over strained security budgets, businesses have faced considerable expenses when it comes to cybersecurity.

For more insights on the cost of tools, technology, expertise, the risks of a breach—and how businesses can maximize their security budget without sacrificing protection—download The True Cost of Cyber Security eBook